
VPN on Secondary Link

sridhar_kamath
Level 1

We have 2 Internet links from different ISPs terminated on the same Cisco router. One acts as the primary link and the other as the secondary link. The secondary link is a backup and will be active only when the primary link fails. We have a Cisco PIX 506 firewall, which also acts as a VPN client; it functions only when the primary link is active. The VPN does not function when the secondary link is active, i.e. when the primary link goes down. I have static routes on the router. Please help ASAP.

4 Replies

jfrahim
Level 5

Are you terminating the IPsec connection on that particular router? If you do, then you have to use a routable loopback address to source the IPsec connections.

Jazib

I am initiating and terminating the IPsec connection on the PIX firewall. One Ethernet card of the firewall is connected to an Ethernet interface of the router.

I am assuming you probably have 2 sets of public addresses, 1 set from ISP A and another from ISP B. In the event of ISP A going down, the FW will have to have a new NATed public address. You would NAT in this case on the router and provide route maps to use 2 NAT pools, and have 1 static translation for each set of pools to identify as the peer FW.

Your other side will have to have 2 crypto peers, depending on which ISP the FW is using, unless you use a wildcard peer. (Those options entirely depend on what you're terminating against that FW.) This is all guesswork unless you can post an edited copy of the router config and the IPsec parameters of each side.

Bob Watson

SBC Data CCNP CCDA
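A worked illustration of the dual-pool NAT arrangement Bob describes, added here as an example; it is not taken from any poster's configuration. It assumes IOS syntax on the router, a LAN interface FastEthernet0/0 facing the PIX outside interface (192.168.1.2), Serial0/0 to ISP A and Serial0/1 to ISP B, and addresses from the RFC 5737 documentation ranges (203.0.113.0/24 standing in for ISP A's block, 198.51.100.0/24 for ISP B's). All interface names, addresses and route-map names are invented.

```ios
! Constructed example (not the poster's config). Interface names and all
! addresses are assumptions: 203.0.113.0/24 = ISP A block,
! 198.51.100.0/24 = ISP B block, 192.168.1.0/24 = router-to-PIX segment.
!
interface FastEthernet0/0
 description LAN side; PIX outside interface is 192.168.1.2
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 description Primary link to ISP A
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
!
interface Serial0/1
 description Backup link to ISP B
 ip address 198.51.100.1 255.255.255.0
 ip nat outside
!
! Primary default route plus a floating static (administrative distance 250)
! that is installed only when Serial0/0 goes down. If ISP A can fail while
! the interface stays up, track the route with an IP SLA probe instead of
! relying on interface state alone.
ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1 250
!
! Inside hosts eligible for translation (the PIX and the rest of that segment).
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
! One route-map per ISP. The translation is chosen by the interface the packet
! is being routed out of, so a routing failover also flips the NAT.
route-map NAT-ISP-A permit 10
 match ip address 100
 match interface Serial0/0
!
route-map NAT-ISP-B permit 10
 match ip address 100
 match interface Serial0/1
!
! Overloaded (PAT) pools for ordinary traffic, one per ISP.
ip nat pool POOL-A 203.0.113.10 203.0.113.10 netmask 255.255.255.0
ip nat pool POOL-B 198.51.100.10 198.51.100.10 netmask 255.255.255.0
ip nat inside source route-map NAT-ISP-A pool POOL-A overload
ip nat inside source route-map NAT-ISP-B pool POOL-B overload
!
! One-to-one static translation for the PIX in each provider's block. Keep it
! static rather than overloaded: ESP has no port numbers, so a PAT entry cannot
! carry the tunnel. 'extendable' is what allows the same inside address to have
! two static entries.
ip nat inside source static 192.168.1.2 203.0.113.2 route-map NAT-ISP-A extendable
ip nat inside source static 192.168.1.2 198.51.100.2 route-map NAT-ISP-B extendable
```

With this in place the far end sees the PIX as 203.0.113.2 while ISP A is up and as 198.51.100.2 after failover, which is why its crypto configuration needs both addresses as peers (and, with pre-shared keys bound to a peer address, a key entry for each). After a failover the PIX still has to rebuild IKE and IPsec SAs from the new address, so keepalives or DPD on the tunnel shorten the outage, and flow entries created under the ISP A translation linger until they time out or are cleared with `clear ip nat translation *`. `show ip route 0.0.0.0` and `show ip nat translations` are the two checks that confirm which default route and which translation are in use at any moment.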

Yes, you are absolutely right, and you have a great imagination. This will work. Due to security reasons I am not in a position to mail you the config. Can you assign some dummy IP addresses and mail me the config for the router and PIX? My other side already has 2 crypto peers. Thanks in advance.